E-COMMERCE SECURITY: How Much is Enough?
by Chris Van Sant, IVANS, Inc.
(Originally published in Messaging Magazine, September/October 1999)
As the surge of online consumers continues, e-commerce security is drawing more and more attention from businesses and consumers alike. But one issue, the security of proprietary information sent over the Internet, keeps getting in the way.
In expanding access to e-commerce solutions, organizations increase their risk of exposing vital corporate information to external parties. This vulnerability was highlighted earlier this year when a computer virus spread rapidly. Such viruses and hacker tools are available around the world virtually instantaneously via the Web. Viral detection software can find and eliminate computer viruses. However, even when one problem is addressed, companies cannot get too comfortable, because safe today does not mean safe tomorrow.
Creating an infrastructure to protect a company, its trading partners, and its customers is crucial if businesses are to realize the full potential of the Internet. Nonetheless, finding the right balance between the hype and reality of security issues continues to be a challenge for many businesses.
The insurance industry provides a good example of the importance of security in e-commerce.
The most important value of an insurance company is its trust and reputation. Once the trust is compromised, the company quickly loses its reputation. Customers must believe that any information supplied to the company will be appropriately safeguarded. In general, insurance data is not considered an exciting target for hackers. However, any breach in the security of confidential information surrounding personal property, medical history, or life insurance would be detrimental to the credibility of an insurance company or its agent.
Imagine a hacker who creates a fraudulent website posing as an insurance agent for all of the large companies. With that façade, the hacker could collect credit card information, while pretending to write insurance policies, but without ever insuring the consumer. This would pose a serious credibility issue for any insurance company.
A study conducted by GTE Internetworking revealed that data access control (including authentication, encryption, integrity, and non-repudiation) is the single biggest concern of both insurance companies and agencies. Each has its own competitive business reasons and responsibilities for protecting the data under its control.
As they begin to formalize a threat model (as a first step in determining the appropriate level of computer security), organizations should identify the data that they wish to protect, classify this data according to its value, and implement the necessary physical and electronic protection. For example, sales literature would be classified as low-risk, while credit card numbers and legal information would be considered high-risk. High-risk data may require locked facilities, or even electronic protection with smart cards, to limit access to a select few.
No matter what the need or solution, there is no such thing as perfect security. Moreover, security in any e-commerce scenario is only as good as the weakest link, which also extends to e-commerce partners. By classifying data and implementing proper control measures, companies can decide what information can be distributed to business partners, and what audit mechanisms should be in place to monitor the activities. Security is not easy; it takes time and perseverance to properly manage and monitor the infrastructure.
To compound the problem, not all security vulnerabilities (or countermeasures) are of an electronic nature. For instance, a major vulnerability of current security systems is the ability of the culprits to determine passwords by reading them from notes left on or near computers. This is a key indicator that no amount of electronic security will be effective without also addressing procedural and physical security. In other words, security cannot stand alone. Everyone in the organization needs to understand and adhere to the established security guidelines.
User IDs and passwords are the most widespread authentication procedure. However, for a number of reasons, passwords do not offer strong authentication. Passwords must either be memorized or written down. Easily memorized passwords (such as the same word as the user's ID) tend to be weak, and any weak password can be discovered using a cracker program. If users avoid easily remembered passwords, they tend to write down their passwords or post them on their monitors. As a result, the secrecy of these passwords cannot be ensured. In industries such as insurance, where users must log into multiple systems from different companies, users become exasperated trying to maintain all of their user IDs and passwords.
User IDs and passwords are also subject to other, less visible problems. For example, they may be compromised if they are not properly protected whenever they are transmitted across a network.
Although security needs to be kept simple in order to ensure that all users can understand and adhere to it, it also needs to be sufficiently complex and sophisticated to ensure adequate protection. If the security is difficult to execute because of too many keystrokes or passwords, users will either not use the system or will find a way to circumvent the security system (by posting the password on their computers, for example).
Several technologies can be used to replace passwords. Public key cryptography is the most mature technology available for this purpose. The certificate authority in a Public Key Infrastructure (PKI) essentially serves as a trusted third party. In that capacity, the certificate authority authenticates a user according to specified criteria, and issues a certificate consisting of both public and private keys. The private key is typically generated on the user's system, and never leaves that computer. This protects the private key so that it never needs to traverse the network. The private key can also be protected by a pass phrase, so that people can't surreptitiously remove the private key. For even greater protection, the private key can be stored on a hardware security token, such as a smart card, which is portable and can be used on multiple computers.
According to International Data Corporation, every Internet-connected device will incorporate some form of encryption by the year 2004 to maintain privacy and ensure the integrity of interactions and e-commerce transactions.
The greatest requirement and challenge that organizations face in implementing a security solution is finding a practical and reliable technology to authenticate users and company servers, in order to identify who is attempting to communicate. Digital certificates serve as electronic credentials to identify a user or server and to secure electronic commerce.
PKI is a strong, reliable technology for securing information traveling through the Internet. It is already prevalent in companies securing e-commerce, but the technology offers far more value that has yet to be realized. For example, PKI technology provides digital certificates that identify individuals or organizations with unique digital IDs. The infrastructure of public key technology receives requests for certificates, issues certificates, and revokes certificates. In essence, PKI provides a channel of trust.
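The PKI enrollment and verification flow described in the two passages above (the user generates the key pair locally and sends the certificate authority only a request, the CA authenticates and issues the certificate, and a relying party checks that credential against the CA it trusts) can be walked through end to end with Go's standard x509 library. This is an added example, not code from the article or from IVANS; the CA name, the agent identity and the one-day validity are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue has the CA (caKey) sign tmpl for pub with one-day validity; parent == tmpl self-signs.
func issue(tmpl, parent *x509.Certificate, pub any, caKey ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// NewCA creates the trusted third party: a self-signed CA certificate and its private key.
func NewCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	cert, err := issue(tmpl, tmpl, pub, key)
	return cert, key, err
}
// Enroll is the user side: the agent generates its key pair locally and sends the CA only a
// certificate request (identity + public key), so the private key never crosses the network.
func Enroll(agent string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	_, agentKey, _ := ed25519.GenerateKey(rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: agent}}, agentKey)
	csr, _ := x509.ParseCertificateRequest(csrDER) // CA side from here on
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the private key
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cert, err := issue(tmpl, ca, csr.PublicKey, caKey)
	return cert, agentKey, err
}
// Verify is the relying party (an insurer's server): accept only a certificate that chains to the trusted CA.
func Verify(cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A certificate issued by a second CA that merely copies the trusted CA's name fails Verify, which is what lets a server tell a genuine agent from a look-alike.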
Biometric identification provides another mechanism for authenticating identification, and can be used in conjunction with certificates to provide added protection. Biometric techniques include fingerprint identification, retinal or iris scans, face or hand geometry, and voice verification.
The bottom line is that organizations must consider numerous factors in order to calculate how much security is enough, and to define the issues and concerns that the security system must address.